Key Findings
ScamVerify™ analyzed 74,032 malicious domains from the URLhaus threat intelligence feed, a significant increase from our previous 69,088-domain analysis. The updated data reinforces a counterintuitive conclusion: the domain extension most people trust is also the one most frequently weaponized.
.com domains host 60,047 malicious sites, representing 81% of all tracked malware domains. That single statistic should change how everyone evaluates website safety.
The Full Picture: 74,032 Domains by TLD
| Rank | TLD | Malicious Domains | Share |
|---|---|---|---|
| 1 | .com | 60,047 | 81.1% |
| 2 | .net | 7,272 | 9.8% |
| 3 | .org | 4,007 | 5.4% |
| 4 | .xyz | 728 | 1.0% |
| 5 | Other | 1,388 | 1.9% |
| 6 | .online | 191 | 0.3% |
| 7 | .site | 189 | 0.3% |
| 8 | .ru | 132 | 0.2% |
| 9 | .cn | 33 | 0.04% |
| 10 | .top | 19 | 0.03% |
The top three "trusted" TLDs (.com, .net, .org) collectively host 96.3% of all malicious domains in our database. Meanwhile, exotic TLDs that trigger suspicion, like .xyz, .online, and .site, account for a combined 1.6%.
Cross-Referencing With ThreatFox
URLhaus is not the only threat feed ScamVerify monitors. ThreatFox, also operated by abuse.ch, tracks 60,758 indicators of compromise (IOCs) including malware command-and-control servers, phishing infrastructure, and credential harvesting endpoints. The ThreatFox data confirms the same pattern: mainstream TLDs dominate the threat landscape.
Together, these two feeds provide ScamVerify with visibility into 134,790 threat indicators across the internet.
Why .com Is the Preferred Weapon
Automatic Trust
Decades of internet usage have conditioned people to associate .com with legitimacy. When a phishing email links to bank-security-update.com, recipients are far less likely to question it than if the link pointed to bank-security-update.xyz. Attackers exploit this deeply ingrained bias.
Registration Volume Provides Cover
With over 160 million active .com registrations worldwide, malicious domains are statistical noise. Security teams and registrars cannot review every new registration, and the sheer volume means malicious domains can operate for days before detection.
Cost Is Irrelevant to Attackers
A .com domain costs $10-12 per year. A .xyz domain costs $1-2. The $8-10 difference is meaningless to an attacker who expects to extract thousands of dollars from victims. The higher success rate of .com phishing campaigns more than justifies the marginal cost increase.
Automated Registration at Scale
The .com registrar ecosystem includes thousands of providers, many offering fully automated registration with minimal identity verification. Attackers can register dozens of domains in minutes, use each for 24-72 hours, and move on.
The Myth of "Suspicious" TLDs
The conventional wisdom to "avoid websites with weird domain extensions" is not just outdated. It is actively harmful because it creates a false sense of security around .com domains.
| Common Advice | Reality |
|---|---|
| "Only trust .com websites" | .com hosts 60,047 malicious domains |
| "Avoid .xyz and .online" | These host only 919 combined (1.3%) |
| "Look for the padlock icon" | 82% of phishing sites use HTTPS |
| "Strange TLDs mean danger" | 96.3% of threats use .com, .net, or .org |
This does not mean .xyz or .online domains are inherently safe. It means that TLD alone is a useless signal for determining whether a website is legitimate.
What Actually Determines if a Website Is a Scam
1. Domain Age
Newly registered domains are dramatically more likely to be malicious. A domain registered last week claiming to be a major retailer is almost certainly fraudulent. Check registration dates through WHOIS lookup tools.
2. Content Quality Signals
Look for inconsistent branding, placeholder text in footer pages, and policies copied from other websites. Legitimate businesses invest in their web presence over time.
3. Threat Database Status
Services like ScamVerify check URLs against URLhaus (74,032 malicious domains), ThreatFox (60,758 IOCs), and other threat feeds. A clean result does not guarantee safety, but a positive match is a definitive red flag.
4. Contact and Business Verification
Real businesses have verifiable physical addresses, working phone numbers, and consistent online footprints across multiple platforms. A website with no contact information beyond a form is suspicious regardless of its TLD.
5. SSL Certificate Context
The padlock icon means the connection is encrypted. It says nothing about who operates the website. Free certificates from Let's Encrypt are used by both legitimate sites and phishing operations. Check who issued the certificate and whether the domain matches the organization it claims to represent.
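Signals 1 and 5 can be read from structured data, shown here as an added example (not ScamVerify's code): domain age from an RDAP registration event, and the issuer and subject organization from a certificate. The RDAP fragment, the certificate, the clock value, the function names and the 30-day threshold are all constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP response fragment (RFC 9083 shape) for a placeholder domain.
RDAP_JSON = '''{"ldhName": "shop.example", "events": [
  {"eventAction": "registration", "eventDate": "2026-02-24T10:15:00Z"},
  {"eventAction": "expiration",   "eventDate": "2027-02-24T10:15:00Z"}]}'''

# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "E1"),)),
}

SAMPLE_NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)  # constructed clock

def domain_age_days(rdap_text, now):
    """Days since the RDAP 'registration' event, or None if it is absent."""
    for event in json.loads(rdap_text).get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            return (now - datetime.fromisoformat(stamp)).days
    return None

def rdn(name, field):
    """First value of `field` in a getpeercert()-style distinguished name."""
    for part in name:
        for key, value in part:
            if key == field:
                return value
    return None

def assess(rdap_text, cert, now, young_days=30):
    """Summarise both signals; young_days is an assumed threshold."""
    age = domain_age_days(rdap_text, now)
    return {
        "age_days": age,
        "young": age is None or age < young_days,  # unknown age counts as young
        "issuer_org": rdn(cert["issuer"], "organizationName"),
        # Domain-validated certificates carry no organization in the subject,
        # so None means the certificate vouches for the name only.
        "subject_org": rdn(cert["subject"], "organizationName"),
    }
```
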
How to Check Any Website
The fastest way to evaluate a suspicious URL is to run it through ScamVerify's website checker. The analysis checks the domain against URLhaus, ThreatFox, and additional threat intelligence feeds, then delivers a plain-English risk assessment.
For a complete manual verification process, our guide on how to check if a website is safe walks through each step.
Methodology
Data source: URLhaus, operated by abuse.ch, collects and shares URLs used for malware distribution. ThreatFox, also by abuse.ch, aggregates indicators of compromise from the broader security community.
Analysis: ScamVerify extracted the domain and TLD from each of the 74,032 URLhaus entries. Domains were grouped by TLD using suffix matching. The "Other" category includes country-code TLDs and niche TLDs with fewer than 100 malicious domains each.
Limitations: URLhaus focuses on malware distribution URLs. Phishing-only databases may show different distributions. The data represents domains that have been identified and reported. Unknown malicious domains are not captured.
Data snapshot: Production data as of March 2026.
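The grouping step described under Analysis, as an added example (not ScamVerify's code): it counts unique hostnames per final DNS label and folds TLDs below a threshold into "Other". The sample URLs are constructed, the function names are hypothetical, and counting hostnames rather than registrable domains is an assumption; URLs whose host is a raw IP address have no TLD and are skipped.

```python
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample entries (not feed data); reserved example names only.
SAMPLE_URLS = [
    "http://downloads.example.com/a.exe",
    "http://cdn.example.com/b.bin",
    "https://files.example.net/c.zip",
    "http://mirror.example.org:8080/d.sh",
    "http://203.0.113.7/e.elf",        # raw IP host: no TLD to count
    "http://EXAMPLE.XYZ./f.dll",       # upper case plus trailing root dot
    "http://shop.example.co.uk/g.msi", # final label is .uk, not .co.uk
]

def host_of(url):
    """Return the normalised hostname, or None for IP literals and junk."""
    host = ""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
        ip_address(host)               # succeeds only for IP literals
        return None
    except ValueError:                 # not an IP, or the URL did not parse
        return host if "." in host else None

def tally_by_tld(urls, other_below=100):
    """Rows of (tld, count, share %) with small TLDs folded into 'Other'."""
    hosts = {h for h in map(host_of, urls) if h}
    counts = Counter("." + h.rsplit(".", 1)[1] for h in hosts)
    table = Counter()
    for tld, n in counts.items():
        table[tld if n >= other_below else "Other"] += n
    total = sum(table.values())
    return [(tld, n, round(100 * n / total, 1))
            for tld, n in table.most_common()]

if __name__ == "__main__":
    for row in tally_by_tld(SAMPLE_URLS, other_below=2):
        print(row)
```
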
FAQ
If .com is so dangerous, should I avoid .com websites?
No. The vast majority of .com domains are legitimate. The point is that you cannot use the .com extension as evidence that a website is safe. Evaluate each website on its own merits: domain age, business presence, threat database status, and content quality.
Which TLD is actually the safest?
No TLD is inherently safe or unsafe. The .gov TLD is the closest to a trust signal because it requires verified government entity registration. For all commercial TLDs, safety depends entirely on who registered the domain and what they are doing with it.
How does ScamVerify use this data?
ScamVerify checks every URL submitted through the website checker against 74,032 URLhaus domains and 60,758 ThreatFox IOCs in real time. The AI synthesizes these checks with domain age, hosting data, and content analysis into a single risk assessment.
Are .ru and .cn domains more dangerous per capita?
Possibly. While .ru (132 domains) and .cn (33 domains) represent tiny fractions of the URLhaus database in absolute terms, they have far fewer total registrations than .com. On a per-registration basis, some smaller TLDs may have higher malicious ratios. However, the absolute risk to consumers is overwhelmingly concentrated in .com.